CVE-2026-45577
Deferred Deferred - Pending Action
Authentication Bypass in Neotoma via Loopback Socket

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45577
EUVD
EUVD-2026-33367
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
markmhendrickson neotoma From 0.6.0 (inc) to 0.11.1 (exc)
markmhendrickson neotoma 0.11.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45577 is an authentication bypass vulnerability in Neotoma versions 0.6.0 to before 0.11.1. The issue arises when public requests that are reverse-proxied and received over a loopback socket without a Bearer token are mistakenly treated as local requests by the application.

This causes the REST authentication middleware to resolve these unauthenticated requests as if they came from the local development user, allowing unauthorized access to the Inspector and related API endpoints without credentials.

The vulnerability occurs in deployments behind a reverse proxy or same-host tunnel forwarding traffic to the Node process over loopback. It was fixed in version 0.11.1 by changing the authentication logic to fail closed in production unless loopback trust is explicitly enabled.

Impact Analysis

This vulnerability can allow unauthorized users to access sensitive parts of the Neotoma application, such as the Inspector and API endpoints, without providing any authentication credentials.

As a result, production data could be exposed to the public or attackers, potentially leading to data leaks or unauthorized manipulation of the application.

The impact is especially significant in environments where Neotoma is deployed behind reverse proxies or tunnels that forward traffic over loopback sockets, as these setups are vulnerable to this authentication bypass.

Detection Guidance

This vulnerability occurs when public reverse-proxied requests are treated as local loopback connections without a Bearer token, allowing unauthenticated access to the Inspector and API endpoints.

To detect this on your system, you should monitor incoming requests forwarded over loopback sockets and check if any requests lack Bearer tokens but are still treated as local.

You can use network monitoring tools or commands to inspect traffic on loopback interfaces (e.g., lo) and analyze HTTP headers for missing Authorization Bearer tokens.

  • Use tcpdump or tshark to capture traffic on the loopback interface: tcpdump -i lo -A 'tcp port 80 or tcp port 443'
  • Filter captured HTTP requests to identify those without an Authorization header or Bearer token.
  • Check your Neotoma logs for any unauthenticated requests being resolved as the local development user.
Mitigation Strategies

The primary mitigation is to upgrade Neotoma to version 0.11.1 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, ensure that the environment variable NEOTOMA_TRUST_PROD_LOOPBACK is not set to 1 in production, as this disables the safe default behavior.

Review your reverse proxy and loopback socket configurations to avoid forwarding public requests as local loopback traffic.

Verify that authentication middleware properly rejects unauthenticated requests and does not treat them as local development users.

Compliance Impact

This vulnerability allows unauthenticated access to the Inspector and related API endpoints, potentially exposing production data without proper credentials.

Such unauthorized access could lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

By bypassing authentication, the vulnerability undermines the confidentiality and integrity of data, increasing the risk of non-compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45577. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart